CVE-2018-15601
Description
apps/filemanager/handlers/upload/drop.php in Elefant CMS 2.0.3 performs a urldecode step too late in the "Cannot upload executable files" protection mechanism.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Elefant CMS 2.0.3, the file upload handler performs URL decoding after extension checks, allowing executable file uploads.
Vulnerability
The vulnerability exists in Elefant CMS version 2.0.3 in apps/filemanager/handlers/upload/drop.php. The upload mechanism attempts to block executable files (with extensions such as .php, .phtml, .js, .rb, .py, .pl, .sh, .bash, or .exe) by checking the file extension using a regular expression. However, the call to urldecode() on the filename is performed after this extension check, not before. This means that if an attacker URL-encodes characters in the filename (e.g., shell%2ephp), the extension check sees the encoded version (which does not match the blocked patterns), but the file is saved with the decoded name (e.g., shell.php), bypassing the protection [1][2].
Exploitation
An attacker must have access to the file upload functionality, which is typically available to authenticated users with permission to upload files. The attacker crafts a filename that places a URL-encoded dot (%2e) before a blocked extension (e.g., %2ephp). A filename such as shell%2ephp passes the regex check because the dot is still encoded. After the check passes, the urldecode() call converts %2e back to ., and the file is written to the server as shell.php [2].
Impact
A successful attack allows an unauthenticated (or low-privileged) user to upload arbitrary executable files (PHP, etc.) to the server. This can lead to remote code execution (RCE) by subsequently accessing the uploaded file, and the attacker can achieve full compromise of the web application and potentially the underlying server [1].
Mitigation
The issue was fixed in commit afb3346 to the Elefant CMS repository. The fix moves the urldecode() call to occur before the extension check, so the decoded extension is evaluated [2]. Users should update to a version of Elefant CMS that includes this commit (version 2.0.4 or later). If an upgrade is not immediately possible, a workaround is to disable file upload functionality or apply the commit patch manually. No KEV listing exists for this CVE.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
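The ordering problem described above, as an added example that is not code from Elefant CMS: the blocklist regex is copied from the patch shown on this page, while the function names and sample file names are constructed for illustration. It runs the check in both orders and flags any accepted upload whose stored name would itself match the blocklist.

```php
<?php
// Added example. BLOCKED is the regex from the patch on this page;
// everything else (function names, sample names) is hypothetical.
const BLOCKED = '/\.(php5?|phtml|js|rb|py|pl|sh|bash|exe)$/i';

// Pre-fix order: the check runs on the raw (still encoded) name,
// then the name is decoded and used for the write.
function check_then_decode(string $raw): array {
    if (preg_match(BLOCKED, $raw)) {
        return ['accepted' => false, 'stored_as' => null];
    }
    return ['accepted' => true, 'stored_as' => urldecode($raw)];
}

// Post-fix order: decode first, so the check and the write see the same string.
function decode_then_check(string $raw): array {
    $name = urldecode($raw);
    if (preg_match(BLOCKED, $name)) {
        return ['accepted' => false, 'stored_as' => null];
    }
    return ['accepted' => true, 'stored_as' => $name];
}

// Regression check: a stored name must never match the blocklist.
function stored_name_is_blocked(array $r): bool {
    return $r['accepted'] && preg_match(BLOCKED, $r['stored_as']) === 1;
}

function describe(array $r): string {
    if (!$r['accepted']) {
        return 'rejected';
    }
    $flag = stored_name_is_blocked($r) ? '  <-- blocked type on disk' : '';
    return 'stored as ' . $r['stored_as'] . $flag;
}

// Constructed sample names: two benign, one plainly blocked, one encoded.
$samples = ['report.pdf', 'notes%20v2.txt', 'shell.php', 'shell%2ephp'];
foreach ($samples as $raw) {
    printf("%-16s\n  check-then-decode: %s\n  decode-then-check: %s\n",
        $raw, describe(check_then_decode($raw)), describe(decode_then_check($raw)));
}
```

Only the last sample differs between the two orders: the pre-fix order accepts it and stores shell.php, the post-fix order rejects it.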
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| elefant/cms (Packagist) | < 2.0.4 | 2.0.4 |
Affected products (1)
Patches (1)
afb3346e50b9: Decode file names before restricting extensions
1 file changed · +3 −3
apps/filemanager/handlers/upload/drop.php+3 −3 modified@@ -37,14 +37,14 @@ return; } +// some browsers may urlencode the file name +$_FILES['file']['name'] = urldecode ($_FILES['file']['name']); + if (preg_match ('/\.(php5?|phtml|js|rb|py|pl|sh|bash|exe)$/i', $_FILES['file']['name'])) { echo json_encode (array ('success' => false, 'error' => __ ('Cannot upload executable files due to security.'))); return; } -// some browsers may urlencode the file name -$_FILES['file']['name'] = urldecode ($_FILES['file']['name']); - if (@file_exists ($root . $_POST['path'] . '/' . $_FILES['file']['name'])) { echo json_encode (array ('success' => false, 'error' => __ ('A file by that name already exists.'))); return;
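Review bot: The decoded name is concatenated straight into the path in the file_exists check (`$root . $_POST['path'] . '/' . $_FILES['file']['name']`), and nothing in the visible lines normalizes it after urldecode. Decoding can turn encoded characters into path separators, so consider wrapping the assignment in basename() so that both the preg_match and the path see a bare file name. The extension test also remains a denylist anchored at the end of the name; an allowlist of permitted extensions would fail closed when an executable type is missing from the list. The comment on the urldecode line could state that the call must stay above the extension check, so the ordering is not moved back in a later edit.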
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
- github.com/advisories/GHSA-pcf7-5974-vjh4 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-15601 (ghsa, ADVISORY)
- github.com/jbroadway/elefant/commit/afb3346e50b992bcba143660ca2149e563430e05 (ghsa, x_refsource_MISC, WEB)